
 <!DOCTYPE HTML>
<html lang="zh-Hans">
<head>
  <meta charset="UTF-8">
  
    <title>一次简单渗透 | </title>
    <meta name="viewport" content="width=device-width, initial-scale=1,user-scalable=no">
    
    <meta name="author" content="daiker">
    

    
    <meta name="description" content="0x00 前言用的手法都是网上有的，大佬勿喷，只是感觉经历坎坷，记录一下 0x01 初步提权">
<meta name="keywords" content="Web,渗透,提权">
<meta property="og:type" content="article">
<meta property="og:title" content="一次简单渗透">
<meta property="og:url" content="http://www.daiker.com.cn/2017/04/28/一次简单渗透/index.html">
<meta property="og:site_name">
<meta property="og:description" content="0x00 前言用的手法都是网上有的，大佬勿喷，只是感觉经历坎坷，记录一下 0x01 初步提权">
<meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-84aa01fc1f6a28ec.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-4c4a2d9827a9b31a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-9d31a64f9674f2ce.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-e01fed57c1eef5a7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-14abc9daafc591b4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-28c2bb49bd94f115.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-f44812ccbfb92bed.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-fc09a317d6e3c548.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-532935c125981af6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-5e4d45f1f646e7ea.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-4fa93f83c10bc7bf.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-8a68011405a19897.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-1329a5263b171786.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-c07b6855bd9f9fa7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-8fc7c98f82b0b309.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-aba7ac0f4cd6b165.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:updated_time" content="2018-01-01T16:14:24.000Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="一次简单渗透">
<meta name="twitter:description" content="0x00 前言用的手法都是网上有的，大佬勿喷，只是感觉经历坎坷，记录一下 0x01 初步提权">
<meta name="twitter:image" content="http://upload-images.jianshu.io/upload_images/5443560-84aa01fc1f6a28ec.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta name="twitter:creator" content="@daikersec">

    
    <link rel="alternative" href="/atom.xml" title="" type="application/atom+xml">
    
    
    <link rel="icon" href="/img/favicon.png">
    
    
    <link rel="apple-touch-icon" href="/img/jacman.jpg">
    <link rel="apple-touch-icon-precomposed" href="/img/jacman.jpg">
    
    <link rel="stylesheet" href="/css/style.css">
</head>

  <body>
    <div id="container">
      <div id="main" class="post" itemscope itemprop="blogPost">
  
	<article itemprop="articleBody"> 
		<header class="article-info clearfix">
  <h1 itemprop="name">
    
      <a href="/2017/04/28/一次简单渗透/" title="一次简单渗透" itemprop="url">一次简单渗透</a>
  </h1>
  <p class="article-author">By
       
		<a href="/about" title="daiker" target="_blank" itemprop="author">daiker</a>
		
  <p class="article-time">
    <time datetime="2017-04-28T11:38:25.000Z" itemprop="datePublished"> Published 2017-04-28</time>
    
  </p>
</header>
	<div class="article-content">
		
		<div id="toc" class="toc-article">
			<strong class="toc-title">Contents</strong>
		
			<ol class="toc">
				<li class="toc-item toc-level-5"><a class="toc-link" href="#0x00-前言"><span class="toc-number">1.</span> <span class="toc-text">0x00 前言</span></a></li>
				<li class="toc-item toc-level-5"><a class="toc-link" href="#0x01-初步提权"><span class="toc-number">2.</span> <span class="toc-text">0x01 初步提权</span></a></li>
				<li class="toc-item toc-level-5"><a class="toc-link" href="#0x02-添加账号"><span class="toc-number">3.</span> <span class="toc-text">0x02 添加账号</span></a></li>
				<li class="toc-item toc-level-5"><a class="toc-link" href="#0x03-远程连接"><span class="toc-number">4.</span> <span class="toc-text">0x03 远程连接</span></a></li>
				<li class="toc-item toc-level-5"><a class="toc-link" href="#0x04-搞管理员账号密码"><span class="toc-number">5.</span> <span class="toc-text">0x04 搞管理员账号密码</span></a></li>
				<li class="toc-item toc-level-5"><a class="toc-link" href="#0x05-账号克隆"><span class="toc-number">6.</span> <span class="toc-text">0x05 账号克隆</span></a></li>
				<li class="toc-item toc-level-5"><a class="toc-link" href="#0x06-总结"><span class="toc-number">7.</span> <span class="toc-text">0x06 总结</span></a></li>
			</ol>
		
		</div>
		
		<h5 id="0x00-前言"><a href="#0x00-前言" class="headerlink" title="0x00 前言"></a>0x00 前言</h5><p>用的手法都是网上有的，大佬勿喷，只是感觉经历坎坷，记录一下</p>
<h5 id="0x01-初步提权"><a href="#0x01-初步提权" class="headerlink" title="0x01 初步提权"></a>0x01 初步提权</h5><p><img src="http://upload-images.jianshu.io/upload_images/5443560-84aa01fc1f6a28ec.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png"><br><a id="more"></a><br>freehost，免费的?<br>net user一下，</p>
<p><img src="http://upload-images.jianshu.io/upload_images/5443560-4c4a2d9827a9b31a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png">  </p>
<p>顿时感觉头都大了，应该是同服站点，每个人一个账号，这种权限划分特别严格，不好搞。<br>但不管怎么样，开始搞吧。试一下systeminfo。</p>
<p><img src="http://upload-images.jianshu.io/upload_images/5443560-9d31a64f9674f2ce.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png">  </p>
<p>Windows 2008 R2 64位服务器，还打了补丁，pr肯定不行，传个巴西烤肉，还是不行。<br>试下窃取令牌的工具incognito</p>
<p><img src="http://upload-images.jianshu.io/upload_images/5443560-e01fed57c1eef5a7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png">  </p>
<p>只能列出同等级的，不能提权。<br>刚要试试数据库提权，大佬@wyAtu告诉我说可以用ms15-051。试了一个32位，不行，，只得换成64位的，，成功了</p>
<p><img src="http://upload-images.jianshu.io/upload_images/5443560-14abc9daafc591b4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png">  </p>
<p>还是System权限，添加个账号，开3389就可以去吃饭了。</p>
<h5 id="0x02-添加账号"><a href="#0x02-添加账号" class="headerlink" title="0x02 添加账号"></a>0x02 添加账号</h5><p>添加账号<br><img src="http://upload-images.jianshu.io/upload_images/5443560-28c2bb49bd94f115.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png"><br>加进管理员组</p>
<p><img src="http://upload-images.jianshu.io/upload_images/5443560-f44812ccbfb92bed.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png"><br>不是system权限吗，，百思不得其解。先留着。。去连连3389玩玩。(后来才知道是安全狗拦着，大佬们给了很多建议，怎么杀狗，后来添加也没什么用，就没搞了，详见下文)</p>
<h5 id="0x03-远程连接"><a href="#0x03-远程连接" class="headerlink" title="0x03 远程连接"></a>0x03 远程连接</h5><p>端口扫描</p>
<p><img src="http://upload-images.jianshu.io/upload_images/5443560-fc09a317d6e3c548.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png"><br>没开3389，奇怪，那就帮他开个。。。可是死活打不开。。。<br>很奇怪，忽然想到，，这种服务器应该不可能没开3389啊，估计把端口改了。<br>tasklist /svc</p>
<p><img src="http://upload-images.jianshu.io/upload_images/5443560-532935c125981af6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png"><br>找到pid 2128,netstat -ano   </p>
<p><img src="http://upload-images.jianshu.io/upload_images/5443560-5e4d45f1f646e7ea.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt=""><br>果然，，开放端口43852。试着连接一下。</p>
<p><img src="http://upload-images.jianshu.io/upload_images/5443560-4fa93f83c10bc7bf.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png"><br>失败了，怎么会这样呢<br>难道是内网?，查ip也不是啊。<br>不管了，端口转发一下。。</p>
<p><img src="http://upload-images.jianshu.io/upload_images/5443560-8a68011405a19897.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png">  </p>
<p><img src="http://upload-images.jianshu.io/upload_images/5443560-1329a5263b171786.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png">  </p>
<p>连接成功，有些人可能没有公网作为中转，可以试试<code>-tran 5555 127.0.0.1 43852</code>。<br>因为这里比较特殊，不是内网，而是通过策略禁止别人远程连接，因此转移个端口就够了。</p>
<p><img src="http://upload-images.jianshu.io/upload_images/5443560-c07b6855bd9f9fa7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png"><br>WTF…………………….<br>只有特定用户能登录。那我估计添加账号也没有什么用了。。<br>windows下权限再高不能连接3389有鸟用。这时只能默念我是system，可以做一切事情。</p>
<h5 id="0x04-搞管理员账号密码"><a href="#0x04-搞管理员账号密码" class="headerlink" title="0x04 搞管理员账号密码"></a>0x04 搞管理员账号密码</h5><p>先上传猕猴桃 mimikatz。。系统进程一直卡死在那里。不懂为什么，试试下一个<br>Pwdump7<br><img src="http://upload-images.jianshu.io/upload_images/5443560-8fc7c98f82b0b309.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png"><br>密码解不开..GG<br>最后朋友@<a href="http://www.iFurySt.com" target="_blank" rel="noopener">iFurySt</a>推荐了一个神器，说是可以直接抓明文密码的wce</p>
<p><img src="http://upload-images.jianshu.io/upload_images/5443560-aba7ac0f4cd6b165.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png"><br>终于抓到了，，试了一下。。还是不行。。估计抓到的是缓存的密码。密码已经改了。。<br>山穷水复。。</p>
<h5 id="0x05-账号克隆"><a href="#0x05-账号克隆" class="headerlink" title="0x05 账号克隆"></a>0x05 账号克隆</h5><p>最后才想起用它。。居然加不了管理员。。那我把管理员的克隆过来总可以了吧。<br>为了小心。。我用Guest账号吧</p>
<ol>
<li>激活 <code>net user Guest /active:yes</code></li>
<li>导出注册表 <code>reg export &quot;HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4&quot; &quot;x:\1.reg</code></li>
<li>导入注册表 <code>regedit /s x:/1.reg</code><br>但是登录的时候由于策略原因导致空口令不能登录。这时候给guest改下密码就可以</li>
</ol>
<h5 id="0x06-总结"><a href="#0x06-总结" class="headerlink" title="0x06 总结"></a>0x06 总结</h5><p>这篇的环境是</p>
<ul>
<li>提权成功，拿到system权限</li>
<li>安全狗禁止添加管理员账号</li>
<li>策略原因禁止外部IP访问</li>
<li>远程连接只允许管理员的那个账号登录(并不是只要是管理员就可以登录)</li>
</ul>
  
	</div>

   	       
	</article>
	




</div>  
    </div>
    <script src="/js/jquery-2.0.3.min.js"></script>
<script src="/js/jquery.imagesloaded.min.js"></script>
<script src="/js/gallery.js"></script>
<script src="/js/jquery.qrcode-0.12.0.min.js"></script>










<link rel="stylesheet" href="/fancybox/jquery.fancybox.css" media="screen" type="text/css">
<script src="/fancybox/jquery.fancybox.pack.js"></script>
<script type="text/javascript">
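// On DOM ready: turn every image in the article body into a fancybox
// lightbox link, and show its alt text (when present) as a caption.
$(document).ready(function(){
  $('.article-content').each(function(i){
    $(this).find('img').each(function(){
      var $img = $(this);
      // Already wrapped in a fancybox link; nothing to do.
      if ($img.parent().hasClass('fancybox')) return;
      var alt = this.alt;
      // Build the nodes with .text()/.attr() instead of concatenating markup:
      // alt text or a URL containing quotes or angle brackets is then inserted
      // as data and cannot introduce extra elements or attributes.
      if (alt) $img.after($('<span class="caption"></span>').text(alt));
      $img.wrap($('<a class="fancybox"></a>').attr({ href: this.src, title: alt }));
    });
    // Group the links of one article so fancybox treats them as a gallery.
    $(this).find('.fancybox').each(function(){
      $(this).attr('rel', 'article' + i);
    });
  });
  // Only activate the lightbox when the fancybox plugin actually loaded.
  if($.fancybox){
    $('.fancybox').fancybox();
  }
}); 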
</script>




  </body>
</html>
